CVE-2026-53471

CRITICAL

Migration-planner: agent api ignores jwt source_id claim

Title source: cna

Description

A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens (JWTs) for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the source_id claim within these tokens against the requested source ID. This oversight allows an authenticated attacker with a valid agent token to manipulate data across different tenants, leading to a complete collapse of tenant isolation. This could result in unauthorized overwriting of victim inventory, planting of malicious credential URLs, or corruption of migration assessments.

References (3)

Core 3

Core References

Vdb Entry, X_Refsource_Redhat vdb-entry x_refsource_redhat

https://access.redhat.com/security/cve/CVE-2026-53471

Issue Tracking, X_Refsource_Redhat issue-tracking x_refsource_redhat

RHBZ#2487070

https://bugzilla.redhat.com/show_bug.cgi?id=2487070

https://github.com/kubev2v/migration-planner/pull/1213

Scores

CVSS v3 9.6

EPSS 0.0028

EPSS Percentile 19.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-639

Status published

Published Jun 10, 2026

Tracked Since Jun 10, 2026